Background
MuddyWater is an Iranian cyber espionage group attributed to Iran's Ministry of Intelligence and Security (MOIS) by US Cyber Command in January 2022. Active since at least 2017, the group primarily targets organizations in the Middle East, with a particular focus on countries that are geopolitical rivals of Iran, including Saudi Arabia, the UAE, Israel, Turkey, and Iraq. MuddyWater has also conducted operations against targets in South Asia, Central Asia, Europe, and North America, reflecting Iran's broad intelligence collection requirements.
The group operates as a subordinate element of the MOIS, which is responsible for Iran's civilian intelligence operations and counterintelligence. MuddyWater's tasking appears focused on collecting strategic intelligence from government ministries, diplomatic organizations, military institutions, and telecommunications providers to support Iranian foreign policy objectives and regional influence operations. The MOIS attribution distinguishes MuddyWater from IRGC-affiliated groups like Charming Kitten and suggests a focus on state-level intelligence rather than operational or military intelligence.
MuddyWater is characterized by its heavy reliance on publicly available tools and living-off-the-land techniques, combined with custom PowerShell-based implants. The group has shown a consistent pattern of rapidly adopting legitimate remote monitoring and management (RMM) tools for command and control, including Atera, ScreenConnect, Syncro, and SimpleHelp. This approach reduces development costs, blends malicious activity with legitimate administration traffic, and complicates attribution. Despite using commodity tools, MuddyWater demonstrates sophisticated social engineering and operational security.
Notable Campaigns
Operation Quicksand (2018-2019)
MuddyWater conducted a widespread espionage campaign targeting government organizations and telecommunications providers across the Middle East and South Asia. The campaign used spear-phishing emails with malicious macro-enabled documents that deployed the group's signature POWERSTATS backdoor. Targets included government ministries in Saudi Arabia, Iraq, Pakistan, and Turkey. The campaign demonstrated MuddyWater's ability to conduct sustained, multi-country operations simultaneously.
Telecommunications Sector Targeting (2019-2020)
MuddyWater systematically targeted telecommunications companies in the Middle East and Central Asia, seeking access to call detail records, subscriber information, and network infrastructure data. This targeting pattern is consistent with Iranian intelligence requirements to monitor communications of dissidents, opposition figures, and foreign intelligence operatives operating in the region. The group used a combination of spear-phishing and exploitation of Exchange Server vulnerabilities to gain initial access.
COVID-19 Themed Operations (2020)
During the early months of the pandemic, MuddyWater adapted its lures to exploit COVID-19 themes, sending phishing emails disguised as health advisories and government pandemic response communications. Targets included government health ministries and international organizations in the Middle East. The rapid pivot to pandemic-themed lures demonstrated the group's agility in social engineering.
Israel-Focused Campaigns (2022-2024)
Following the public attribution by US Cyber Command, MuddyWater intensified operations against Israeli targets, including technology companies, municipal governments, and airline industry organizations. The group deployed a new custom C2 framework called MuddyC2Go, written in Go, replacing its previous PhonyC2 framework. These campaigns coincided with escalating regional tensions and demonstrated MuddyWater's continued evolution despite public exposure.
RMM Tool Abuse Campaigns (2023-2025)
MuddyWater conducted persistent campaigns using legitimate remote monitoring and management tools as C2 mechanisms. The group distributed phishing emails containing links to shared documents on platforms like Egnyte, OneDrive, and Dropbox, which directed targets to download RMM agents (Atera, ScreenConnect, Syncro) pre-configured to connect to attacker-controlled accounts. This technique proved highly effective at evading security controls since the RMM tools are digitally signed and widely whitelisted.
Tactics, Techniques & Procedures
Initial Access: MuddyWater relies almost exclusively on spear-phishing for initial access (T1566.001). Phishing emails typically contain either malicious attachments (macro-enabled documents, HTML files with embedded links) or links to file-sharing platforms hosting malicious payloads. The group invests significant effort in crafting convincing lures themed around government communications, industry reports, conference invitations, and job offers. In recent campaigns, the group has shifted from macro documents to distributing legitimate RMM tool installers via file-sharing links, bypassing traditional malware detection.
Execution and Persistence: Historically, MuddyWater used PowerShell extensively for execution, deploying custom frameworks like POWERSTATS. More recently, the group has shifted to using legitimate RMM tools (T1219) for persistent access, which provide built-in capabilities for command execution, file transfer, and screen control. When using custom tools, persistence is achieved through scheduled tasks (T1053.005), registry run keys (T1547.001), and WMI event subscriptions.
Command and Control: MuddyWater has cycled through multiple C2 frameworks: POWERSTATS (PowerShell-based), MuddyC3 (Python-based), PhonyC2 (Python-based), and MuddyC2Go (Go-based). Each framework was developed in response to detection of the previous one. The group also uses compromised legitimate web servers as C2 relay points and embeds C2 data in DNS TXT records. The adoption of legitimate RMM tools as C2 (Atera, ScreenConnect, Syncro) represents a significant evolution, as these tools provide encrypted, authenticated communication channels that are often trusted by network security controls.
Lateral Movement and Collection: After establishing access, MuddyWater uses RDP (T1021.001) and SSH for lateral movement, often leveraging credentials harvested from compromised systems. The group uses PowerShell and WMI for remote execution and deploys tools for Active Directory enumeration. Data collection focuses on email archives, documents related to policy and diplomatic communications, and network architecture information.
Tools & Malware
- MuddyC2Go: The group's latest custom C2 framework, written in Go, discovered in late 2023. Generates PowerShell payloads that establish encrypted communication with the C2 server. Designed to be more resilient to analysis than its Python-based predecessors.
- PhonyC2: A Python-based C2 framework that preceded MuddyC2Go, used to generate and manage PowerShell implants. Source code was partially leaked online, accelerating the transition to MuddyC2Go.
- POWERSTATS (Powermud): MuddyWater's long-running PowerShell backdoor, supporting command execution, file exfiltration, and screenshot capture. Communicates over HTTP with base64-encoded payloads. Multiple variants have been observed since 2017.
- DarkBeatC2: A C2 mechanism that leverages cloud services and DNS for command distribution, observed in operations against Israeli targets.
- Atera Agent: A legitimate RMM tool abused for persistent remote access. MuddyWater distributes pre-configured Atera agents that connect to attacker-controlled tenants.
- ScreenConnect (ConnectWise Control): Another legitimate RMM tool deployed in the same manner as Atera, providing full remote desktop control and file transfer capabilities.
- Syncro: A managed service provider (MSP) platform abused by MuddyWater for remote access and command execution.
- SimpleHarm: A custom loader distributed via phishing emails that downloads and executes subsequent payloads from attacker-controlled infrastructure.
- Mshta.exe Abuse: MuddyWater frequently uses mshta.exe (T1218.005) to execute HTA files containing VBScript, which serves as an initial execution mechanism to deploy further payloads while bypassing application whitelisting controls.
Indicators & Detection
Email and Phishing Detection:
- Monitor for emails containing links to file-sharing platforms (Egnyte, OneDrive, Dropbox, OneHub) that host executable files, MSI installers, or archive files rather than typical document types.
- Be suspicious of emails from government or industry contacts that direct recipients to download software or install remote access tools.
- Implement URL filtering and sandboxing for links to file-sharing platforms in emails.
RMM Tool Monitoring:
- Maintain an inventory of authorized RMM tools in your environment. Any RMM agent installation not sanctioned by IT should be treated as a high-priority alert.
- Monitor for installation of Atera, ScreenConnect, Syncro, SimpleHelp, or other RMM tools, particularly when initiated by email clients, browsers, or Office applications.
- If RMM tools are authorized, monitor for connections to tenants that don't belong to your organization or your managed service providers.
Network-Based Detection:
- Watch for PowerShell scripts making HTTP/HTTPS connections with base64-encoded request bodies, which may indicate POWERSTATS or MuddyC2Go communication.
- Monitor DNS TXT record queries for unusually large responses or high frequency, which may indicate DNS-based C2.
- Detect lateral movement by monitoring for RDP connections originating from servers or non-administrative workstations.
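The DNS TXT monitoring bullet above, worked through as an added example (not from the original page): it scans constructed resolver log lines and flags a client whose TXT queries against one registered domain exceed an assumed per-minute rate or return answers larger than an assumed size. The log format, both thresholds, and all hosts and addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed DNS resolver log lines: "<ISO time> <client> <qtype> <qname> <answer bytes>".
# Sample data for this example; the format is assumed, not a specific product's.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.1.1.20 TXT _dmarc.example.invalid 112
2024-03-01T09:00:05 10.1.1.44 TXT cdn-7a1f.example.invalid 1460
2024-03-01T09:00:15 10.1.1.44 TXT cdn-7a1f.example.invalid 1380
2024-03-01T09:00:25 10.1.1.44 TXT cdn-7a1f.example.invalid 1410
2024-03-01T09:00:35 10.1.1.44 TXT cdn-7a1f.example.invalid 1402
2024-03-01T09:00:45 10.1.1.44 TXT cdn-7a1f.example.invalid 1395
2024-03-01T09:01:00 10.1.1.20 A www.example.invalid 48
2024-03-01T09:01:10 10.1.1.20 TXT example.invalid 95
"""

MAX_TXT_BYTES = 1024   # assumed threshold: legitimate TXT answers (SPF, DMARC, verification) are small
MAX_TXT_PER_MIN = 4    # assumed threshold: TXT queries per client, per registered domain, per minute

def parse(line):
    ts, client, qtype, qname, size = line.split()
    return datetime.fromisoformat(ts), client, qtype, qname, int(size)

def txt_c2_candidates(log_text):
    """Return {(client, zone): [reasons]} for TXT traffic that exceeds either threshold."""
    per_minute = defaultdict(int)   # (client, zone, minute) -> TXT query count
    oversized = defaultdict(int)    # (client, zone) -> number of answers over MAX_TXT_BYTES
    for line in log_text.splitlines():
        ts, client, qtype, qname, size = parse(line)
        if qtype != "TXT":
            continue
        zone = ".".join(qname.split(".")[-2:])   # group changing labels under the registered domain
        per_minute[(client, zone, ts.replace(second=0))] += 1
        if size > MAX_TXT_BYTES:
            oversized[(client, zone)] += 1
    findings = defaultdict(list)
    for (client, zone, minute), n in per_minute.items():
        if n > MAX_TXT_PER_MIN:
            findings[(client, zone)].append(f"{n} TXT queries in one minute starting {minute.isoformat()}")
    for key, n in oversized.items():
        findings[key].append(f"{n} TXT answers over {MAX_TXT_BYTES} bytes")
    return dict(findings)
```

In the sample, only 10.1.1.44 is reported: five large TXT answers for rotating labels under one domain inside a single minute, while the SPF/DMARC-sized lookups from 10.1.1.20 stay below both thresholds.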
Host-Based Detection:
- Monitor for mshta.exe execution, particularly when spawned by Office applications or executed with command-line arguments pointing to remote URLs.
- Watch for PowerShell execution with heavily obfuscated scripts, especially those using character substitution, base64 encoding, or string concatenation to evade detection.
- Alert on scheduled task creation with PowerShell or mshta.exe execution targets, particularly tasks created by non-administrative users.
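The RMM Tool Monitoring and Host-Based Detection bullets above, turned into three process-creation rules as an added example (not from the original page): mshta.exe spawned by an Office, mail or browser process or pointed at a remote target; an RMM agent launched from such a process or not on the sanctioned list; and a scheduled task whose action runs PowerShell or mshta. The event records, the set of user applications, the authorized-RMM list and the file paths are all constructed for the example.

```python
import re

# Constructed process-creation events as (parent image, image, command line), the
# Sysmon Event ID 1 fields the rules need. Sample data, not captured telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\mshta.exe", "mshta.exe http://files.example.invalid/report.hta"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i C:\Users\jdoe\Downloads\AteraAgent.msi /quiet"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /create /tn Updater /tr "powershell -w hidden -file C:\Users\jdoe\u.ps1" /sc minute /mo 5'),
    (r"C:\Windows\System32\services.exe",
     r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe", "ScreenConnect.WindowsClient.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]
# Parents that have no business launching mshta.exe or an RMM installer.
USER_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
             "chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe"}
RMM_MARKERS = ("atera", "screenconnect", "connectwise", "syncro", "simplehelp")
AUTHORIZED_RMM = {"screenconnect"}                      # assumed: the org's sanctioned RMM tool
REMOTE_TARGET = re.compile(r"https?://|\\\\[\w.-]+\\")  # URL or UNC path on the command line

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the alert strings raised by one process-creation event."""
    parent, image, cmd = basename(event[0]), basename(event[1]), event[2].lower()
    alerts = []
    # Rule 1: mshta.exe spawned by an Office/mail/browser process or pointed at a remote HTA
    if image == "mshta.exe":
        if parent in USER_APPS:
            alerts.append(f"mshta.exe spawned by {parent}")
        if REMOTE_TARGET.search(cmd):
            alerts.append("mshta.exe with remote target")
    # Rule 2: RMM agent install or launch, from a user application or outside the inventory
    hits = [m for m in RMM_MARKERS if m in cmd or m in image]
    if hits:
        if parent in USER_APPS:
            alerts.append(f"RMM tool {hits[0]} launched from {parent}")
        if not any(h in AUTHORIZED_RMM for h in hits):
            alerts.append(f"unauthorized RMM tool {hits[0]}")
    # Rule 3: scheduled task whose /tr action runs PowerShell or mshta
    if image == "schtasks.exe" and "/create" in cmd:
        m = re.search(r'/tr\s+"?([^"]*)', cmd)
        if m and ("powershell" in m.group(1) or "mshta" in m.group(1)):
            alerts.append("scheduled task with PowerShell/mshta action")
    return alerts

def scan(events):
    return {i: a for i, e in enumerate(events) if (a := classify(e))}
```

The sanctioned ScreenConnect client started by services.exe raises nothing, which is the point of keeping an inventory: the same binary launched from a browser download would trip Rule 2.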